A quick reminder as we settle into 2012: Security doesn’t just take place at the firewall or via a messaging security appliance. While these security devices are crucial, traditional security breaches still take place. And in this equally savage age of litigation, these traditional crimes can make your company accountable.
There's a good chance your company has employees making through-the-mail, post-Cyber Monday holiday gift returns that require a copy of their driver's license -- a policy enforced by retailers including Best Buy to ensure electronic receipts aren't reprinted and reused, opening the door to multiple-return fraud. The employees no doubt are making copies of their driver's licenses on your company’s multi-function printer/scanner/copier, and this photoelectric information is stored on the printer device (a common storage function on business machines sold by Xerox, Oki and Canon).
That means the employee's personal information is now stored in two different locations: the network printer, and the retailer (say Best Buy, which states in its return policy, “We electronically secure your information solely for the purpose of returns management, in accordance with state and federal laws regarding consumer privacy.”). So what happens if the printer gets hacked or the information is simply downloaded?
Arthur Franklin, a 47-year-old New Yorker, was recently sentenced to nine years in jail for this type of cybertheft. He obtained copies of driver's licenses, then paid off employees at a Pennsylvania collection company to get the rest of the license holders' personal information. He and his gang of 24 then donned wigs and costumes to impersonate the driver's license holders and steal more than $700,000 from JP Morgan Chase banks in Manhattan and Brooklyn.
In another case, Terrance Chalk, CEO of managed IT services company Compulinx, pleaded guilty in 2009 to stealing the identities of his own employees to obtain additional lines of credit. He had access to their personal information.
Records retrieval on a network printer, which generally isn't password-protected, can be done in seconds. So why not lock down the printer? It's a matter of convenience -- the required software (which print resellers say has more security holes in it than a successful prison break) is designed for ease of use by office management, merely to remind them when to refresh the toner.
Security in 2012 still isn't just about keeping hackers off your database. On the contrary: Traditional methods of theft still lurk.